Privilege 15 login not working?

just2cool

Gawd
Joined
Sep 22, 2005
Messages
524
Hello, I can't seem to get privilege 15 working on a Cisco 3750G switch. It doesn't even matter if I disable ssh and enable telnet instead -- it still doesn't work.

Here are sections of the run config that matter:

phys#sh run | i username
username admin secret 5 <PASSWORD>
username justin privilege 15 secret 5 <PASSWORD>

I'd imagine that something is missing here:
phys#sh run | i aaa
aaa new-model
aaa session-id common

phys#sh run | b vty 0 4
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
end

Login with justin via ssh gives me:
phys>sh priv
Current privilege level is 1
phys>

I don't feel like doing this every time:
phys>en
Password:
phys#

I'm pulling my hair out...and I know that I must be doing something really stupid. I'm still rather new to Cisco equipment, but I should be able to do this! Any ideas?
 

moetop

[H]ard|Gawd
Joined
Apr 8, 2004
Messages
1,471
Can you do that without an AAA server and users and levels defined in there?
 

cb9fl

Limp Gawd
Joined
Jan 2, 2006
Messages
456
aaa authentication login local_authen local
aaa auhtorization exec local_author local
 

Fint

[H]ard|Gawd
Joined
Jun 11, 2004
Messages
1,046
That's a pretty silly thing to do, with regard to security (if someone gets the password to your 'justin' account they also have privilege on your router... two *different* passwords to compromise make it more difficult). Let me guess, you log into your workstation as a domain admin too, right?
 

Bean Dip

Limp Gawd
Joined
Feb 28, 2004
Messages
211
I ran into this same thing a few months back and could not figure it out. I was trying to create a helpdesk local user with privilege level 5 and a limited command set. I knew it was because of AAA because if I disabled AAA then it worked.

just2cool, I am interested in finding out if the commands cb9fl posted solve your problem.
 

just2cool

Gawd
Joined
Sep 22, 2005
Messages
524
That's a pretty silly thing to do, with regard to security (if someone gets the password to your 'justin' account they also have privilege on your router... two *different* passwords to compromise make it more difficult). Let me guess, you log into your workstation as a domain admin too, right?

Well, no. I know it looks like I'm just going to create an admin account. But in reality, I was just surprised that it wouldn't let me use anything above priv 1, including priv 15, even though I explicitly defined it. My intent was to try to come up with lower privs similar to Bean Dip since this will be managed by several new people.

Anyhow, those aaa commands didn't work. And yes, I fixed the typo in the second one, but still no dice.

Any other ideas? I guess I need an external RADIUS server?
 

just2cool

Gawd
Joined
Sep 22, 2005
Messages
524
Hmm. I seem to have fixed it, and it was very close to cb9fl's suggestion.

Two commands:
aaa authentication login default local enable
aaa authorization exec default local if-authenticated

Users:
phys#sh run | i user
username user5 privilege 5 secret 5 <PASSWORD>
username user15 privilege 15 secret 5 <PASSWORD>

Test:
$ ssh user5@phys
user5@phys's password:

phys#sh priv
Current privilege level is 5
phys#conf t
^
% Invalid input detected at '^' marker.

phys#logo
Connection to phys closed.

$ ssh user15@phys
user15@phys's password:

phys#conf t
Enter configuration commands, one per line. End with CNTL/Z.
phys(config)#^Z
phys#logo
Connection to phys closed.


Much more information:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/secsols/aaasols/c262c2.htm
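Putting the thread's fix together as one added example (not config from the original posts): the security-relevant point is that once `aaa new-model` is on, the `privilege` keyword on a `username` line is ignored unless an exec authorization method actually reads it, which is why both users landed at level 1. The `privilege exec level 5` lines are an assumed illustration of the limited helpdesk command set Bean Dip describes; hostnames and usernames are taken from the thread, and passwords are placeholders.

```cisco
! Added example: local AAA with working privilege levels on IOS.
! Assumes the names used in the thread (phys, user5, user15); passwords are placeholders.
hostname phys
!
aaa new-model
! Authenticate at the vty against the local database; fall back to the enable secret
! only if the local database is unavailable, never as a way to bypass it.
aaa authentication login default local enable
! Without this line the username's privilege value is never applied and every
! authenticated user drops to level 1. 'local' reads the privilege from the username
! entry; 'if-authenticated' only applies when the local method returns an error.
aaa authorization exec default local if-authenticated
aaa session-id common
!
! Keep the enable secret distinct from every user password so a leaked user
! password alone does not grant level 15 via 'enable'.
enable secret 5 <ENABLE_SECRET_HASH>
!
username user5 privilege 5 secret 5 <USER5_HASH>
username user15 privilege 15 secret 5 <USER15_HASH>
!
! Assumed helpdesk command set for level 5: read-only troubleshooting plus
! counter clearing. Anything not listed stays at its default level (1 or 15),
! so 'configure terminal' remains rejected for user5 as shown in the thread.
privilege exec level 5 show running-config
privilege exec level 5 show interfaces
privilege exec level 5 show ip interface brief
privilege exec level 5 show logging
privilege exec level 5 clear counters
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end
```

After applying this, `show privilege` from a user5 session should report level 5 and from a user15 session level 15, with no `enable` step; `show users` and the authorization entries in `show logging` confirm which method granted the level.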
 